Um, and now it works :-)  Thank you, Flo.

Here is the config in case somebody else needs it:

* RSYSLOG SERVER
input(
type="imrelp"
port="2514"
maxDataSize="8k"
tls="on"
tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
tls.myCert="/etc/rsyslog.d/ssl/server.crt"
tls.myPrivKey="/etc/rsyslog.d/ssl/server.key"
# only clients whose certificate name matches one of these patterns are accepted
tls.permittedpeer=["*.in.local", "*.oob.in.intra", "*.in.intra"]
tls.authMode="name"
)


* RSYSLOG CLIENT
action(
type="omrelp"
target="a-3005"
port="2514"
tls="on"
tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
tls.myCert="/etc/rsyslog.d/ssl/client.crt"
tls.myPrivKey="/etc/rsyslog.d/ssl/client.key"
# the server's certificate name must match one of these patterns
tls.permittedpeer=["*.in.local", "*.oob.in.intra", "*.in.intra"]
tls.authMode="name"
name="syslog1-2514-out"
queue.size="1024000"
queue.filename="syslog1-2514.queue"
queue.maxdiskspace="512m"
queue.type="FixedArray"
queue.maxfilesize="10m"
queue.saveonshutdown="on"
queue.discardseverity="5"
action.resumeinterval="1"
action.resumeretryCount="-1"
action.reportsuspension="on" 
action.reportsuspensioncontinuation="on"
)
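Since the subject of this thread is creating the certificates, here is an added example (not from the thread, and not rsyslog's or librelp's own tooling) that mints a private CA plus a server and a client certificate whose DNS subjectAltName matches the tls.permittedpeer patterns used above, then checks that both leaf certificates chain to the CA. The host names a-3005.in.local and client1.oob.in.intra, the O= field, the validity periods and the scratch directory are assumptions chosen for illustration; the file names match the paths in the config so the output can be dropped into /etc/rsyslog.d/ssl/. sha1_fingerprint prints the SHA1:xx:xx:... form that tls.authMode="fingerprint" takes in tls.permittedpeer, for the case Flo mentioned.

```shell
#!/bin/sh
# Added example: CA + server/client certs for rsyslog RELP over TLS with
# tls.authMode="name". Names, subject fields and WORKDIR are assumptions.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_NAME="company-ca"

# write_req_cnf DIR : minimal openssl config so the commands below do not
# depend on the system openssl.cnf; ca_ext marks the CA cert as CA:TRUE
write_req_cnf() {
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Corp
CN = $CA_NAME
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR : self-signed CA key pair (company-ca.key / company-ca.crt)
make_ca() {
    dir=$1
    write_req_cnf "$dir"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/req.cnf" -extensions ca_ext \
        -keyout "$dir/$CA_NAME.key" -out "$dir/$CA_NAME.crt" 2>/dev/null
}

# issue_cert DIR BASENAME FQDN EKU : key + CSR for FQDN, signed by the CA,
# with DNS SAN = FQDN and extendedKeyUsage = serverAuth or clientAuth
issue_cert() {
    dir=$1; base=$2; fqdn=$3; eku=$4
    cat > "$dir/$base.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/req.cnf" -subj "/O=Example Corp/CN=$fqdn" \
        -keyout "$dir/$base.key" -out "$dir/$base.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$dir/$base.csr" \
        -CA "$dir/$CA_NAME.crt" -CAkey "$dir/$CA_NAME.key" -CAcreateserial \
        -extfile "$dir/$base.ext" -out "$dir/$base.crt" 2>/dev/null
}

# verify_chain DIR BASENAME : exit 0 iff the leaf cert validates against the CA
verify_chain() {
    openssl verify -CAfile "$1/$CA_NAME.crt" "$1/$2.crt" >/dev/null 2>&1
}

# san_names DIR BASENAME : print the DNS names from subjectAltName, one per line
san_names() {
    openssl x509 -in "$1/$2.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# sha1_fingerprint DIR BASENAME : "SHA1:AB:CD:..." as used with tls.authMode="fingerprint"
sha1_fingerprint() {
    openssl x509 -in "$1/$2.crt" -noout -fingerprint -sha1 \
        | sed 's/^.*Fingerprint=/SHA1:/'
}

make_ca "$WORKDIR"
issue_cert "$WORKDIR" server a-3005.in.local serverAuth
issue_cert "$WORKDIR" client client1.oob.in.intra clientAuth

for leaf in server client; do
    verify_chain "$WORKDIR" $leaf && echo "$leaf.crt chains to $CA_NAME.crt"
    echo "$leaf SAN:         $(san_names "$WORKDIR" $leaf)"
    echo "$leaf fingerprint: $(sha1_fingerprint "$WORKDIR" $leaf)"
done
echo "certificates written to $WORKDIR"
```

Copy company-ca.crt, server.crt and server.key to the server and company-ca.crt, client.crt and client.key to the client; with tls.authMode="name" the SAN printed for each side is what the other side's tls.permittedpeer patterns are matched against, so check that output against the list before restarting rsyslogd.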


From: Flo Rance [mailto:[email protected]] 
Sent: Friday, December 07, 2018 3:41 PM
To: LOEWENTHAL Sophie
Cc: rsyslog-users
Subject: Re: [rsyslog] rsyslog RELP and TLS - creating the certificates

Have you put it on both sides (client and server) ?

I still don't see any "tls.authMode" section in your conf. So it might use 
something different than name, e.g. fingerprint.

Have you tried to activate debug mode to see if it's more verbose ?

Regards,
Flo

On Fri, Dec 7, 2018 at 3:01 PM [email protected] 
<[email protected]> wrote:
Hi folks,

I added the tls.permittedpeer part and got similar errors:

input(
type="imrelp"
port="2514"
maxDataSize="8k"
tls="on"
tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
tls.myCert="/etc/rsyslog.d/ssl/server.crt"
tls.myPrivKey="/etc/rsyslog.d/ssl/server.key"
tls.permittedpeer=["*be.local", "*.oob.intra", "*.intra"]
)

2018-12-07T14:48:45.173348+01:00 3005 rsyslogd:  [origin software="rsyslogd" swVersion="8.39.0" x-pid="4636" x-info="http://www.rsyslog.com"] start
2018-12-07T14:48:45.384140+01:00 3005 rsyslogd: imrelp[2514]: error 'TLS handshake failed [gnutls error -54: Error in the pull function.]', object 'lstn 2514: conn to clt 192.168.101.34/2450.oob.intra' - input may not work as intended [v8.39.0 try http://www.rsyslog.com/e/2353 ]
2018-12-07T14:48:45.384156+01:00 3005 rsyslogd: imrelp[2514]: error 'TLS record write failed [gnutls error -10: The specified session has been invalidated for some reason.]', object 'lstn 2514: conn to clt 192.168.101.34/2450.oob.intra' - input may not work as intended [v8.39.0 try http://www.rsyslog.com/e/2353 ]



> -----Original Message-----
> From: rsyslog [mailto:[email protected]] On Behalf Of
> sophie.loewenthal--- via rsyslog
> Sent: Thursday, December 06, 2018 4:07 PM
> To: Flo Rance
> Cc: LOEWENTHAL Sophie; rsyslog-users
> Subject: Re: [rsyslog] rsyslog RELP and TLS - creating the certificates
> 
> I got this:
> 
> 2018-12-06T15:38:59.909637+01:00 s3005 rsyslogd: imrelp[2514]: authentication error 'peer did not provide a certificate', peer is '' [v8.39.0 try http://www.rsyslog.com/e/2353 ]
> 2018-12-06T15:38:59.909646+01:00 s3005 rsyslogd: imrelp[2514]: error 'TLS handshake failed [gnutls error -43: Error in the certificate.]', object 'lstn 2514: conn to clt ::1/localhost' - input may not work as intended [v8.39.0 try http://www.rsyslog.com/e/2353 ]
> 
> Best wishes,
> Sophie
> 
> From: Flo Rance [mailto:[email protected]]
> Sent: Thursday, December 06, 2018 4:03 PM
> To: LOEWENTHAL Sophie
> Cc: rsyslog-users
> Subject: Re: [rsyslog] rsyslog RELP and TLS - creating the certificates
> 
> Oh, and you didn't provide any "tls.permittedpeer=["..."]", so the next error that
> you should see on the server side is something like:
> 
> rsyslogd: imrelp[2514]: authentication error 'non-permited fingerprint', peer is '�� r� '
> rsyslogd: imrelp[2514]: error 'TLS handshake failed [gnutls error -43: Error in the certificate.]', object 'lstn 2514: conn to clt ....
> 
> Regards,
> Flo
> 
> On Thu, Dec 6, 2018 at 3:47 PM [email protected]
> <[email protected]> wrote:
> Little more info whilst I was looking:
> 
> 
> The rsyslog.conf configuration,
> 
> The CLIENT has
> action(
> type="omrelp"
> target="a-3005"
> port="2514"
> tls="on"
> tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
> tls.myCert="/etc/rsyslog.d/ssl/client.crt"
> tls.myPrivKey="/etc/rsyslog.d/ssl/client.key"
> 
> The SERVER has
> input(
> type="imrelp"
> port="2514"
> maxDataSize="8k"
> tls="on"
> tls.caCert="/etc/rsyslog.d/ssl/company-ca.crt"
> tls.myCert="/etc/rsyslog.d/ssl/server.crt"
> tls.myPrivKey="/etc/rsyslog.d/ssl/server.key"
> )
> 
> 
> CLIENT connects to server and gets this:
> # openssl s_client -connect 3005:2514 -CAfile company-ca.crt -cert client.crt -key client.key
> CONNECTED(00000003)
> 140081314850704:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 289 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1544107265
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> 
> This message and any attachments (the "message") is intended solely for the
> intended addressees and is confidential. If you receive this message in error,
> or are not the intended recipient(s), please delete it and any copies from your
> systems and immediately notify the sender. Any unauthorized view, use that does
> not comply with its purpose, dissemination or disclosure, either whole or
> partial, is prohibited. Since the internet cannot guarantee the integrity of
> this message which may not be reliable, BNP PARIBAS (and its subsidiaries)
> shall not be liable for the message if modified, changed or falsified.
> Do not print this message unless it is necessary, consider the environment.
> 
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.